Oracle is planning to fix 40 security vulnerabilities when it releases its Critical Patch Update for Java SE on Tuesday. All but three of the holes being plugged can be remotely exploited without authentication.
http://www.scmagazine.com.au/News/347056,java-closes-40-vulns.aspx